 TA的每日心情 | 奋斗
3 天前 |
|---|
签到天数: 2370 天 [LV.Master]伴坛终老
|
转载请注明出处:http://hi.baidu.com/biweilun
/ A. N4 E- O" E8 r4 w2 C我现在对百度的新聊天工具进行了稍微深入的分析,再下一步的分析工作就是在汇编调试里面展开的了。先说下我发现的可能威胁:
0 b0 r0 X7 y; X o1 t1、Swf文件跨站漏洞, ~1 l0 H( @4 v ?! O* T0 `
在Baidu Hi 的安装文件夹里的MovieData文件夹里面有3个swf文件,分别是loginCarton.swf,videoConnectingBig.swf和videoConnectingSmall.swf。其中,loginCarton.swf的可能别利用漏洞最大,这点上百度不如腾讯,没有做好swf文件的内嵌工作,让swf文件暴露在外面。病毒可以感染并放入恶意的swf文件来覆盖他们。loginCarton.swf是baiduhi的启动画面,这是非常危险的,因为swf木马在网上非常流行。还有,病毒要获取这个目录非常简单,只要以system来读取注册表就好,路径会保存在注册表的[HKEY_LOCAL_MACHINE\SOFTWARE\3D SoftWare]下的"path"键值里面,如果修改注册表,人为改变该键值,可能引发更大的危机!
- ]' x# O$ S" h4 |![]()
, _; L' d! I# M* W) X8 ~0 j% M2、自动升级漏洞
9 _4 n: o) F4 j, [( m: N. U该漏洞目前没有测试,不过应该将来会盛行的。因为目前大家的Baidu HI都是最新版,不需要升级。将来如果需要升级的时候,这个漏洞就很危险了。Baidu Hi 的升级文件在AutoUpdate文件夹里面,8 |8 ?0 _4 R- Y @
$ I- o$ [& B: R, b3 T# i![]()
$ b8 i, o y9 q5 `. [, l3 qBaiduHiUpdate.exe文件通过调用config.ini文件来升级,我们来看config.ini文件的代码:" t3 `" l/ |& d% b/ ^
[AutoUpdate]
# {* h. }# R4 m xConfigFileUrl=http://update.im.baidu.com/AutoUpdate/AutoUpdate.xml; y' t" T6 L8 u# X3 R0 V
IsAutoUpdate=1
& K' y* Q2 l9 b9 i4 LConfigFileKey1=3F26F386EB827C141DF8FE539B7ECDF4
! g- J: c3 T0 `8 B8 o- r: l2 HConfigFileKey2=128509257100000000
& i# `' g8 U9 f: \) x& DLSTm_AutoUpdate=1206596754
0 O, j5 n8 T$ n7 g" T9 D( z( @看来使用的是下载http://update.im.baidu.com/AutoUpdate/AutoUpdate.xml这个文件,我下载下来打开一看,这个文件和AutoUpdate文件夹里面的那个AutoUpdate.xml文件内容相同。代码都是如下的: C2 c* C4 g* j/ ^. t1 @1 i7 q
<AutoUpdate version="1.0">3 d' u. t! u6 c, g' [
<Updater version="1.0.0.8" url="http://update.im.baidu.com/AutoUpdate/updater48-49.cab" md5="8312201dc14e0ff595680f6bcf4d0fb1" hint="update 49">
- N* K5 h( b. z/ t; b<File name="atl71.dll" dest="updater:\" type="bin" operation="add" /> - F+ k( T+ H4 [' _
<File name="AutoInstall.exe" dest="updater:\" type="bin" operation="add" />
; p3 R# t r( T& ~0 |& \/ c<File name="AutoUpdateUtil.dll" dest="updater:\" type="bin" operation="add" />
$ p/ e9 Q0 |7 }<File name="BaiduHiUpdate.exe" dest="updater:\" type="bin" operation="add" /> 8 x) U1 Y' e+ c8 |/ Q
<File name="Basement.dll" dest="updater:\" type="bin" operation="add" />
6 U4 T ? n/ e4 V- n& m2 G<File name="config.ini" dest="updater:\" type="resource" operation="add" />
2 e1 b: s. n7 u<File name="msvcp71.dll" dest="updater:\" type="bin" operation="add" />
: U% W% Y% \* G# O# q. a) A<File name="msvcr71.dll" dest="updater:\" type="bin" operation="add" />
$ E! R1 _5 G0 b3 _# d, R6 j<File name="resource.db" dest="updater:\" type="resource" operation="add" />
/ \2 C/ B! r: n. v1 |& Q2 a5 m& [<File name="VersionInfo.xml" dest="updater:\" type="resource" operation="add" />
- N, J6 h, w+ g3 ]1 \' t</Updater>
3 K# M0 f: x& P7 k6 E6 K9 V<Module name="BaiduHi" version="1.0.1.0" level="forcePrompt">
1 b' _; p$ {0 P- Y( ]$ _<Upgrade versi hint="update 49" md5="f684d6220bb2771433410e482287cc58" url="http://update.im.baidu.com/AutoUpdate/upgrade48-49.cab">% N2 M% F C/ x4 H' M3 M
<File name="AppUtil.dll" dest="BaiduHi:\" type="bin" operation="add" /> 2 m: h, D6 R4 t* i: b- @, O/ ?! E- `
<File name="BaiduHi.exe" dest="BaiduHi:\" type="bin" operation="add" />
/ H V! D3 L( P<File name="Basement.dll" dest="BaiduHi:\" type="bin" operation="add" /> ! ~# M* c6 l% p x. s8 z% a
<File name="BugReport.exe" dest="BaiduHi:\" type="bin" operation="add" /> ( X4 B+ |6 A5 C1 K" K5 E, q
<File name="CSTransfer.dll" dest="BaiduHi:\" type="bin" operation="add" /> 0 f5 o' {* J* n% ?( o. g* d
<File name="HistoryExplorer.dll" dest="BaiduHi:\" type="bin" operation="add" /> ! k9 A' A0 Q! @
<File name="ImEngine.dll" dest="BaiduHi:\" type="bin" operation="add" /> 6 |0 {" b& s4 f4 a% c- H2 Y" H
<File name="ImStorage.dll" dest="BaiduHi:\" type="bin" operation="add" /> % N' {7 `2 n5 L0 B. |* S
<File name="LocalLog.dll" dest="BaiduHi:\" type="bin" operation="add" />
4 W( ^5 c6 k/ m, A( ]' V4 q<File name="NetService.dll" dest="BaiduHi:\" type="bin" operation="add" />
; j1 A9 Z% B: l2 o3 z/ T8 N<File name="RUDPLib.dll" dest="BaiduHi:\" type="bin" operation="add" />
; O# Z7 z; @% N, S/ q6 L<File name="SkinDLL.dll" dest="BaiduHi:\" type="bin" operation="add" /> 3 |6 q2 ~3 ]6 z) r: x6 `, _
<File name="UPnPDll.dll" dest="BaiduHi:\" type="bin" operation="add" />
7 E' U* W7 [ v% r2 ]: j5 r<File name="VersionInfo" dest="BaiduHi:\" type="resource" operation="add" /> 5 t, q0 w( I7 B- g4 C) T
<File name="fmmgr.dll" dest="BaiduHi:\" type="bin" operation="add" /> % n6 _9 I$ z& @( p) v# i% w7 }$ J
<File name="imcs.dll" dest="BaiduHi:\" type="bin" operation="add" />
+ k( @" Y2 w( l" _8 v<File name="uninst.exe" dest="BaiduHi:\" type="bin" operation="add" />
* Y$ G8 b! @% i8 T- A</Upgrade>5 |4 {$ {' Z3 \( B* B3 G- t
<FullPackage hint="update 49" md5="3af7588de47c7fdcb9ca5421de4c444c" url="http://update.im.baidu.com/AutoUpdate/fullpackage48-49.cab">9 S; [1 O# `, N/ R% i
<File name="AppUtil.dll" dest="BaiduHi:\" type="bin" operation="add" />
9 _9 u9 E7 f8 L) @/ e, G7 {<File name="BaiduHi.exe" dest="BaiduHi:\" type="bin" operation="add" /> ( e [: L- J/ r$ u
<File name="Basement.dll" dest="BaiduHi:\" type="bin" operation="add" />
" A: d n1 d3 d+ A' _: h- t5 s6 o/ S<File name="BugReport.exe" dest="BaiduHi:\" type="bin" operation="add" /> % _# v. q3 D! l& @# q) q0 t
<File name="CSTransfer.dll" dest="BaiduHi:\" type="bin" operation="add" /> 7 v. @3 S8 \/ j @* r: r6 n( p
<File name="HistoryExplorer.dll" dest="BaiduHi:\" type="bin" operation="add" /> + g+ _& U f* x4 u$ K, X m
<File name="ImEngine.dll" dest="BaiduHi:\" type="bin" operation="add" /> 2 V/ C8 w6 h8 G! U( D0 y, @. e
<File name="ImStorage.dll" dest="BaiduHi:\" type="bin" operation="add" />
5 x' m G) i6 \$ A% t k<File name="LocalLog.dll" dest="BaiduHi:\" type="bin" operation="add" /> # X- O# K1 q" ~4 ?" Y6 F; E
<File name="MovieData\loginCarton.swf" dest="BaiduHi:\MovieData\" type="resource" operation="add" /> " e- j" e1 _2 s& E7 q5 g
<File name="MovieData\videoConnectingBig.swf" dest="BaiduHi:\MovieData\" type="resource" operation="add" /> 0 @# Q. {3 J% B0 N
<File name="MovieData\videoConnectingSmall.swf" dest="BaiduHi:\MovieData\" type="resource" operation="add" /> 0 W: X7 B+ y V
<File name="NetService.dll" dest="BaiduHi:\" type="bin" operation="add" /> 2 @# F7 u8 O* \6 F
<File name="RUDPLib.dll" dest="BaiduHi:\" type="bin" operation="add" />
" u( t) S: D+ y1 k; S" ^2 O% E3 r+ _9 ^<File name="ServerConfig.dat" dest="BaiduHi:\" type="resource" operation="add" />
3 P, ?$ z$ o$ N5 R C H0 ^8 R6 V<File name="SkinDLL.dll" dest="BaiduHi:\" type="bin" operation="add" />
9 ^3 p! l S2 d<File name="SysCustomStatus.xml" dest="BaiduHi:\" type="resource" operation="add" /> - L, Y& `4 a! ~* I% `- f; D
<File name="UPnPDll.dll" dest="BaiduHi:\" type="bin" operation="add" />
: h* h1 \* B5 H8 i5 z<File name="VersionInfo" dest="BaiduHi:\" type="resource" operation="add" /> 1 B. F" ~: u- n: Y
<File name="atl71.dll" dest="BaiduHi:\" type="bin" operation="add" /> ! p% R# X7 Y& `
<File name="dbghelp.dll" dest="BaiduHi:\" type="bin" operation="add" />
4 h }/ B7 U% U$ W* ?. z9 w7 Z<File name="fmmgr.dll" dest="BaiduHi:\" type="bin" operation="add" />
; B+ ]1 S/ S* t$ a8 @7 @* O<File name="imcs.dll" dest="BaiduHi:\" type="bin" operation="add" />
# X; h& M9 `' ~% U( A<File name="licence.txt" dest="BaiduHi:\" type="resource" operation="add" />
& y% g! @' e- A/ u<File name="mediactrl.dll" dest="BaiduHi:\" type="bin" operation="add" /> 7 U' K3 _( ~+ X) l7 P
<File name="msvcp71.dll" dest="BaiduHi:\" type="bin" operation="add" />
/ D1 q3 V3 P* p" g* _' {1 }<File name="msvcr71.dll" dest="BaiduHi:\" type="bin" operation="add" /> : g/ E1 c9 V; ? e2 `
<File name="resource.db" dest="BaiduHi:\" type="resource" operation="add" />
2 z: k5 ^# g/ j* m<File name="riched20.dll" dest="BaiduHi:\" type="bin" operation="add" />
. M% U1 V6 t5 c* Z' T8 ~! G! H0 A<File name="skin\default.db" dest="BaiduHi:\skin\" type="resource" operation="add" /> " j, v7 K4 X3 I# H# U
<File name="skin\rose.db" dest="BaiduHi:\skin\" type="resource" operation="add" /> # Q; Y1 \( t+ u
<File name="sound\msg.wav" dest="BaiduHi:\sound\" type="resource" operation="add" /> / z& {& x- ]. A' q
<File name="sound\online.wav" dest="BaiduHi:\sound\" type="resource" operation="add" />
, B( a6 Y4 z+ T# |, `<File name="sound\phone.wav" dest="BaiduHi:\sound\" type="resource" operation="add" />
" B! W& w( c& F% [' J& T" E3 k7 b<File name="sound\snapshot.wav" dest="BaiduHi:\sound\" type="resource" operation="add" />
4 H( g8 [4 q* F( p# a# E<File name="sound\system.wav" dest="BaiduHi:\sound\" type="resource" operation="add" /> ( R' G3 D! } J( O
<File name="sysimage\FaceError.gif" dest="BaiduHi:\sysimage\" type="resource" operation="add" />
9 J' M; _& k- v' u& R/ y<File name="sysimage\FaceLoading.gif" dest="BaiduHi:\sysimage\" type="resource" operation="add" /> # N# b' r/ t5 D! O
<File name="sysimage\ImageError.gif" dest="BaiduHi:\sysimage\" type="resource" operation="add" />
, w5 u6 B- f: ~<File name="sysimage\ImageLoading.gif" dest="BaiduHi:\sysimage\" type="resource" operation="add" /> ' ~2 t5 _5 T4 A: `; r% H1 z
<File name="uninst.exe" dest="BaiduHi:\" type="bin" operation="add" /> 1 d X# k1 ?6 w9 b+ Y9 f
<File name="zlib1.dll" dest="BaiduHi:\" type="bin" operation="add" />
0 h) N# I4 d, E Y" p</FullPackage>
& d6 {1 k9 v. [& P( E7 m2 M</Module>3 H# Z( W9 U7 B1 C. G
</AutoUpdate>5 j2 c8 a+ }7 p7 m" t6 c& O
通过AutoUpdate.xml文件来下载http://update.im.baidu.com/AutoUpdate/updater48-49.cab ,我们可以通过构造恶意的config.ini,然后让程序下载我们构造的恶意AutoUpdate.xml,再让程序通过AutoUpdate.xml下载恶意构造好的cab安装包,释放。还是危害挺大的!- B. f* {) J0 ^) p$ c
最后忠告大家,不要下载除官方以外任何地方的Baidu Hi !否则后够可能很严重,这次我发现的这两个漏洞的利用说容易也容易,说不容易也不容易,本人如上所说只是一点肤浅之见,没什么技术含量,只是觉得软件搞这么明文不好。提醒大家小心一点而已,没有别的意图,更没有哗众取宠的意思。 |
|
/1 
IP卡
狗仔卡
发表于 2008-3-29 11:38:10
QQ好友和群
QQ空间
腾讯微博
腾讯朋友
收藏
分享
顶
踩
转发到微博
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡